From f70866fb2353dba162fc296f644e7ce77af6d79f Mon Sep 17 00:00:00 2001
From: Magnus Hagander <magnus@hagander.net>
Date: Mon, 23 Jul 2007 10:16:54 +0000
Subject: SSPI authentication on Windows. GSSAPI compatible client when doing
 Kerberos against a Unix server, and Windows-specific server-side
 authentication using SSPI "negotiate" method (Kerberos or NTLM).

Only builds properly with MSVC for now.
---
 doc/src/sgml/client-auth.sgml | 40 +++++++++++++++++++++++++++++++++++++++-
 doc/src/sgml/libpq.sgml       | 22 +++++++++++++++++++++-
 2 files changed, 60 insertions(+), 2 deletions(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index e3fa1c8b27d..dd3bd8be4d4 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.99 2007/07/18 12:00:47 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.100 2007/07/23 10:16:53 mha Exp $ -->
 
 <chapter id="client-authentication">
  <title>Client Authentication</title>
@@ -358,6 +358,17 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
         </listitem>
        </varlistentry>
 
+       <varlistentry>
+        <term><literal>sspi</></term>
+        <listitem>
+         <para>
+          Use SSPI to authenticate the user. This is only
+          available on Windows. See <xref
+          linkend="sspi-auth"> for details.
+         </para>
+        </listitem>
+       </varlistentry>
+
        <varlistentry>
         <term><literal>krb5</></term>
         <listitem>
@@ -677,6 +688,33 @@ local   db1,db2,@demodbs  all                         md5
    
   </sect2>
 
+  <sect2 id="sspi-auth">
+   <title>SSPI authentication</title>
+
+   <indexterm zone="sspi-auth">
+    <primary>SSPI</primary>
+   </indexterm>
+
+   <para>
+    <productname>SSPI</productname> is a <productname>Windows</productname>
+    technology for secure authentication with single sign-on. 
+    <productname>PostgreSQL</productname> will use SSPI in
+    <literal>negotiate</literal> mode, which will use
+    <productname>Kerberos</productname> when possible and automatically
+    fall back to <productname>NTLM</productname> in other cases.
+    <productname>SSPI</productname> authentication only works when both
+    server and client are running <productname>Windows</productname>.
+   </para>
+
+   <para>
+    When using <productname>Kerberos</productname> authentication, 
+    <productname>SSPI</productname> works the same way 
+    <productname>GSSAPI</productname> does. See <xref linkend="gssapi-auth">
+    for details.
+   </para>
+
+  </sect2>
+
   <sect2 id="kerberos-auth">
    <title>Kerberos authentication</title>
 
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index e1ee97ce182..117bc5f3509 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.238 2007/07/18 12:00:47 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.239 2007/07/23 10:16:53 mha Exp $ -->
 
  <chapter id="libpq">
   <title><application>libpq</application> - C Library</title>
@@ -290,6 +290,17 @@ PGconn *PQconnectdb(const char *conninfo);
      </listitem>
     </varlistentry>
 
+    <varlistentry>
+     <term><literal>gsslib</literal></term>
+     <listitem>
+      <para>
+       GSS library to use for GSSAPI authentication. Only used on Windows.
+       Set to <literal>gssapi</literal> to force libpq to use the GSSAPI
+       library for authentication instead of the default SSPI.
+      </para>
+     </listitem>
+    </varlistentry>
+
     <varlistentry>
      <term><literal>service</literal></term>
      <listitem>
@@ -4220,6 +4231,15 @@ authenticating with Kerberos 5 or GSSAPI.
 </listitem>
 <listitem>
 <para>
+<indexterm>
+ <primary><envar>PGGSSLIB</envar></primary>
+</indexterm>
+<envar>PGGSSLIB</envar> sets the GSS library to use for GSSAPI 
+authentication. 
+</para>
+</listitem>
+<listitem>
+<para>
 <indexterm>
  <primary><envar>PGCONNECT_TIMEOUT</envar></primary>
 </indexterm>
-- 
cgit v1.2.3